By Sashnee Singh, Cybersecurity Business Lead, Marsh
Without significant regional claims data, creating accurate pricing models for cyber insurance has been challenging, which is why many insurers moved to technical rates of underwriting from a retention and premium threshold perspective.
Cyber insurance in sub-Saharan Africa is entering a firm market cycle, though not at the severity seen in other parts of the world.
Now that there is more claims activity and data is being amassed, it is evident that cyber risk has been thinly rated. To this end, we are seeing increases in the region of 50%, as well as a move of cyber to a catastrophe-type coverage.
African insurers are still very bullish in exploring and writing new business. There are huge growth opportunities within the region, particularly in Ghana, Botswana, Zambia, Nigeria, Tanzania, Namibia and South Africa, with the latter being the most mature of these markets.
While insurers in countries like South Africa have the appetite, there is still a need to go through international markets —mainly London — for solutions. This is particularly true when bespoke solutions are required and/or companies are buying high limits, and thus require access to markets that are able to offer considerable capacity. When going through international markets, however, the rating models will not operate in local currency. In South Africa where policies are in rand, it is not uncommon for there to be some impact from high currency conversion rates. Fortunately, there are workarounds that Marsh’s international network is able to tap into.
R50 million attack
The majority of cyber claims in sub-Saharan Africa relate to extortion and ransomware. Scenarios include the restoration of system integrity after encryption for a ransom fee; or the prevention of the leak of confidential, personal, or business information for a ransom fee. Generally, costs relate to incident response, lost revenue, and additional cost of working. This is all first-party cost losses, relating to incident response, business interruption, and extortion costs.
A healthcare organisation in South Africa experienced a major ransomware attack of this nature in 2020. It is estimated that the total claim may reach R50 million — the biggest claim in the region — and will have a considerable adverse impact on the insurer’s loss ratio when settled.
In sub-Saharan Africa, there are very few legal liability actions in this space. This is generally due to lack of customer awareness. In most African countries, there is no requirement to notify data-owners — whether they are customers, suppliers, or employees — that there has been a breach of information. This is further heightened by the absence of established information regulators in African countries. Most of the claims, as demonstrated above, focus on first-party losses.
As a result of no notification requirements, and no strong adverse regulatory response, the uptake of cyber insurance in sub-Saharan Africa has been relatively low. We did, however, see an uptick in 2018, predominantly from large corporates; this was in line with legislation in countries like Nigeria. Still, this was not a mass mid-market purchase, as it was perceived as quite an expensive class of insurance.
However, South Africa is set to see new data laws in the form of the Protection of Personal information Act (POPI) coming into force in July 2021. This places an onus on how companies acquire, share, secure, transfer and destroy private and sensitive information. Non-compliance may result in fines of up to R10 million, civil liability actions and, in extreme cases, jail time of up to 10 years.
It is worth noting that to bring a liability claim, financial loss must be demonstrated in South Africa. When legislation comes into force and can support causal links between loss of data and financial loss, we could possibly see a sharp increase in liability claims. With this said, as the country is known to not be particularly litigious, we are not expecting to see claims at levels seen in the US or UK.
As the regulation matures, we are prepared for an uptick, but we see first-party cost claims continuing to dominate.
Read Marsh’s Sub-Saharan Africa Insurance Market Update for insights into the key risks impacting markets, the current state of pricing, and possible future trends.